> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/identity-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/identity-support/user-guide/organization-admin-app/business-owner-default-authority/security-and-governance/enforced-security-policies/ip-based-access-control.md).

# IP-Based access control

### Overview <a href="#overview" id="overview"></a>

IP-based access control allows organizations to **allow or block user access** based on specific IP addresses or IP ranges.\
This feature helps protect organizational resources by restricting access to trusted networks and preventing unauthorized connections.

***

### I am new. Where should I start? <a href="#i-am-new.-where-should-i-start" id="i-am-new.-where-should-i-start"></a>

If you are new to IP-based access control, start by understanding the policy modes and preparing the IP addresses or ranges you want to manage.

***

### Purpose <a href="#purpose" id="purpose"></a>

IP-based access control is designed to:

* Restrict access to trusted IP addresses or networks
* Block access from untrusted or suspicious IP ranges
* Enhance security for internal systems and administrative access
* Support compliance and security best practices

***

### Prerequisites <a href="#prerequisites" id="prerequisites"></a>

Before configuring IP-based access control, ensure that:

* You have administrator or security management permissions.
* You know the public IP addresses or IP ranges to allow or block.
* You understand the impact of access restrictions on users and integrations.
* You have at least one trusted IP available to avoid accidental lockout.

***

### Policy Modes <a href="#policy-modes" id="policy-modes"></a>

#### Whitelist (Allow) <a href="#whitelist-allow" id="whitelist-allow"></a>

Only users connecting from the specified IP addresses or IP ranges are allowed to access the organization.\
All other IP addresses are denied by default.

**Use this mode when:**

* Access should be limited to trusted corporate networks
* Protecting admin or internal-only systems

***

#### Blacklist (Deny) <a href="#blacklist-deny" id="blacklist-deny"></a>

Users connecting from the specified IP addresses or IP ranges are denied access to the organization.\
All other IP addresses are allowed.

**Use this mode when:**

* Blocking known malicious or untrusted IPs
* Restricting access from specific locations or networks

***

### Supported IP Formats <a href="#supported-ip-formats" id="supported-ip-formats"></a>

You can specify IP addresses or ranges using the following formats:

* **Single IP address**\
  `192.168.1.1`
* **Wildcard format**\
  `192.168.1.*`
* **IP range**\
  `10.0.1.1 – 10.0.1.10`
* **CIDR notation**\
  `192.168.1.0/24`

Multiple IPs or ranges can be entered and separated by commas.

***

### I already understand. How do I proceed step by step? <a href="#i-already-understand.-how-do-i-proceed-step-by-step" id="i-already-understand.-how-do-i-proceed-step-by-step"></a>

Follow the steps below to configure IP-based access control.

***

### Step-by-Step: Configure IP-Based Access Control <a href="#step-by-step-configure-ip-based-access-control" id="step-by-step-configure-ip-based-access-control"></a>

#### Step 1: Open IP Access Control Settings <a href="#step-1-open-ip-access-control-settings" id="step-1-open-ip-access-control-settings"></a>

* Sign in as an administrator : [Oten Admin | Security Policy & User management](https://admin.oten.live/)
* Profile Account → **Admin**
* Welcome page **Admin**
* Click on menu **Security Policy** → **Access Security**
* Click button **Create access security**

***

#### Step 2: Enter Basic Information <a href="#step-2-enter-basic-information" id="step-2-enter-basic-information"></a>

Under **Basic info**, provide the following:

* **Access security code**\
  A unique identifier used to reference this policy.
* **Access security name**\
  A descriptive name to help identify the policy.
* **Description** (optional)\
  Details about the purpose or scope of the policy.

***

#### Step 3: Select Policy Mode <a href="#step-3-select-policy-mode" id="step-3-select-policy-mode"></a>

Choose how access should be controlled:

* **Whitelist (Allow)**
* **Blacklist (Deny)**

***

#### Step 4: Add IP Ranges <a href="#step-4-add-ip-ranges" id="step-4-add-ip-ranges"></a>

* Select **Add condition** and choose **IP Allowlist**.
* Enter one or more IP addresses or IP ranges using the supported formats.
* Review the entered IPs for accuracy.

***

#### Step 5: Review and Create Policy <a href="#step-5-review-and-create-policy" id="step-5-review-and-create-policy"></a>

1. Review all settings and IP ranges.
2. Confirm that at least one trusted IP is allowed if using Whitelist mode.
3. Select **Create access security** to activate the policy.

***

### Result <a href="#result" id="result"></a>

Access to the organization is now allowed or blocked based on the configured IP policy.

***

### Important Notes <a href="#important-notes" id="important-notes"></a>

* IP-based access rules take effect immediately after activation.
* In Whitelist mode, any IP not explicitly listed is denied.
* In Blacklist mode, only listed IPs are denied.
* Incorrect configuration may block legitimate users or integrations.

***

### Security Recommendations <a href="#security-recommendations" id="security-recommendations"></a>

* Use Whitelist mode for sensitive or admin-only access.
* Keep IP policies documented and up to date.
* Review IP rules regularly and remove unused entries.
* Combine IP-based access control with MFA for stronger security.

***

### Summary <a href="#summary" id="summary"></a>

* IP-based access control restricts access using IP addresses or ranges.
* Two policy modes are supported: **Whitelist (Allow)** and **Blacklist (Deny).**
* **Multiple IP** formats are supported for flexibility.
* Proper configuration helps prevent **unauthorized access.**
